Google Redirect, 8 steps completed

Discussion in 'Virus and Malware Removal' started by christo76, Nov 17, 2009.

Thread Status:
Not open for further replies.
  1. christo76 Newcomer, in training

    My roommate apparently got a virus or more on her computer. It was one of those fake shields with pop-ups saying things were infected and asking you to pay for software. I managed to get rid of that (I think). But then she noticed that Google links were being redirected to random sites.

    I searched here, and found several similar cases, so I ran through the 8 steps. Log sheets are attached.

    I also ran ComboFix, which seemed to be the next step in all the posts. Though I now see the sticky saying not to run it unless told, my bad. It did seem to have some issues running. I ran it once, and it downloaded a new version; then during the autoscan, a Microsoft error window came up (PEV.exe needed to close... do you want to send a report...), but ComboFix was still running so I just ignored the window. CF then restarted the computer after saying it found an infection. On start-up, CF came up and said it couldn't find Combo-fix.sys, then said it was creating a log sheet, then the computer just restarted, and CF never came back up. I renamed combofix to combo-fix and re-ran it. This time, no windows popped up and it found no infections, but after it said it was creating a log sheet, it just restarted again and ComboFix never came back up. I looked and found the log sheet but it didn't really have any details, basically the same as the one attached. I ran it a third time, and it found an infection, restarted, said it was creating a log sheet, then restarted again, with no log sheet displayed.

    The Google redirect is still there. Any help would be greatly appreciated.
  2. Tmagic650 TechSpot Ambassador

    Delete or fix this entry in the HijackThis log:
    "O17 - HKLM\System\CCS\Services\Tcpip\..\{D34AE06B-90B9-4A29-884C-130EC9D093FA}: NameServer = 151.164.8.201,66.73.20.40"

    After you fix this, try running the ESET Online Scanner:
    Eset Scanner

    Post your results
  3. kritius Newcomer, in training

    That's not the complete ComboFix log; post it. It should be C:\ComboFix.txt

    Don't fix that HijackThis entry.
  4. christo76 Newcomer, in training

    I already 'fixed' the entry, and was running the ESET scanner. Is there a way to replace that entry if needed?

    As for the ComboFix log, that is all there is in C:\combofix.txt, though technically it is C:\Combo-fix\combofix.txt if that makes any difference.

    I tried running ComboFix a few times and each time it restarts right after it says it's preparing the log, and it never brings it up.
  5. Tmagic650 TechSpot Ambassador

    So kritius,
    you are a ComboFix advocate. I saw those tcpip entries in 3 HijackThis logs of computers suffering with search redirect issues here. Some of the IP addresses go to sites, others go nowhere. How do you tell if these are legitimate or not? With browser redirects, this tcpip entry was a logical concern.
  6. Tmagic650 TechSpot Ambassador

    Are you still being redirected? What were the ESET results?
  7. kritius Newcomer, in training

    Whois the entries; they come up legit.

    Delete the copy of ComboFix that you have off your desktop and then,

    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


    [IMG]


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [IMG]


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
  8. christo76 Newcomer, in training

    ESET is still running. I can't tell if it's still redirecting because the internet connection seems to be down now. Don't know if ESET is just running off of my computer now or if it was able to maintain a connection, but IE and Firefox just bring up the "can't find the page" window.

    If that entry is an issue, I may have more problems. The same (or nearly identical) entry is listed twice on this computer, which has had no issues at all. See log attached.
  9. Tmagic650 TechSpot Ambassador

    Yes christo76,
    That line 17 entry is back with an addition... Let ESET finish and we will see if the redirects are still active
  10. christo76 Newcomer, in training

    Tmagic, that last log was from a second computer. I posted it because it also has the O17 entry and I was worried it too could have issues that haven't shown up yet.

    Right now the original computer seems to have lost all internet capabilities since deleting that line and starting ESET. If I go into Network Connections in the control panel, it's an empty folder. I tried making a new connection for broadband, but the network wizard says it can't make a new one because it should just work.
  11. christo76 Newcomer, in training

    I restored the O17 line in HijackThis, and the internet connection is working again. Deleted ComboFix, downloaded the new version and it is running now.

    ESET found nothing.
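Tmagic650 asked above how to tell whether an O17 NameServer entry is legitimate, kritius answered "whois the entry", and christo76 then found that (a) an unaffected second machine on the same ISP carried the same entry and (b) deleting the line took the first machine offline. The script below is an added example for this thread; it is not HijackThis code and none of the posters wrote it. It parses O17 lines, classifies each resolver, reports unvetted public addresses for a manual whois check, and compares two logs for shared resolvers. The allowlist, the second-machine log and the GUIDs other than the one quoted in this thread are constructed assumptions. It only reads logs; it never touches the registry.

```python
"""Triage HijackThis O17 NameServer entries.

Added example for this thread, not HijackThis code. It classifies the resolvers
listed in O17 lines and flags public addresses it cannot vouch for so they can be
checked with whois first. Deleting a legitimate ISP resolver takes the box offline,
as happened in this thread, so this script never edits anything.
"""
import ipaddress
import re

# O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = ip[,ip...]
O17_RE = re.compile(
    r"^O17 - (?P<key>HKLM\\[^:]*\{(?P<guid>[0-9A-Fa-f-]{36})\}):"
    r"\s*NameServer\s*=\s*(?P<servers>[0-9A-Fa-f.:,\s]+?)\s*$"
)

# Constructed sample log: the first line is the entry quoted in this thread; the
# second GUID, the private address and the O4 line are made up to exercise the checks.
SAMPLE_LOG = """\
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{D34AE06B-90B9-4A29-884C-130EC9D093FA}: NameServer = 151.164.8.201,66.73.20.40
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{1B2C3D4E-0000-1111-2222-333344445555}: NameServer = 192.168.1.1
O4 - HKLM\\..\\Run: [SomeApp] C:\\Program Files\\SomeApp\\app.exe
"""

# Constructed log standing in for the thread's second, unaffected machine on the
# same ISP. A resolver that a clean machine also uses is most likely the ISP's.
CLEAN_MACHINE_LOG = """\
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{0F0F0F0F-1111-2222-3333-444444444444}: NameServer = 66.73.20.40,192.168.1.1
"""

# Assumed allowlist: resolvers the analyst has already confirmed by whois. Only one
# of the thread's two addresses is listed so the other exercises the whois path.
KNOWN_GOOD = {"151.164.8.201"}


def parse_o17(log_text):
    """Return [(guid, [resolver, ...]), ...] for every O17 line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
        entries.append((m.group("guid").upper(), servers))
    return entries


def classify(server, known_good=KNOWN_GOOD):
    """Verdict for one resolver address: known-good, private, check-whois or unparseable."""
    if server in known_good:
        return "known-good"
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return "unparseable"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "private"        # typically the home router or a DHCP-assigned gateway
    return "check-whois"        # public address not yet vetted: whois it before acting


def triage(log_text, known_good=KNOWN_GOOD):
    """Map each O17 interface GUID to {resolver: verdict}."""
    return {guid: {s: classify(s, known_good) for s in servers}
            for guid, servers in parse_o17(log_text)}


def shared_resolvers(log_a, log_b):
    """Resolvers that appear in O17 lines of both logs (e.g. infected vs. clean machine)."""
    a = {s for _, servers in parse_o17(log_a) for s in servers}
    b = {s for _, servers in parse_o17(log_b) for s in servers}
    return a & b


if __name__ == "__main__":
    for guid, verdicts in triage(SAMPLE_LOG).items():
        print(guid, verdicts)
    print("shared with clean machine:", sorted(shared_resolvers(SAMPLE_LOG, CLEAN_MACHINE_LOG)))
```

A "check-whois" verdict is a to-do, not a finding: run whois on the address, and if it belongs to the ISP the machine actually uses (AT&T DSL here), add it to the allowlist rather than removing the entry.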
  12. kritius Newcomer, in training

    Is your ISP AT&T Internet Services?

    Let's focus on the actual malware; the redirects will be caused by a modified file. HijackThis will not show this, and ESET will not help with it.

    We need to get a ComboFix log so we can see what file it is.
  13. kritius Newcomer, in training

  14. christo76 Newcomer, in training

    Yes, AT&T DSL is my internet service. ComboFix ran and once again the log is basically empty. It finished the 50 stages, the window said "Preparing log... Do not run any programs...", then after about 3-5 seconds the computer just restarted. ComboFix never came back up, and after a few minutes I looked at the combofix.txt and it was the same as the one posted earlier.

    I realized I have been running the computer in selective start-up for the past few days, due to slow performance and the initial fake AV. Don't know if that has any effect on the ComboFix log. But I put it back to normal start-up and am running ComboFix again, hoping to get a full log.
  15. Tmagic650 TechSpot Ambassador

    At least I got your attention :) I connect to the Internet through a cable broadband router. Is that why the tcpip entry doesn't show up in my HijackThis log?
  16. christo76 Newcomer, in training

    Tried ComboFix again, this time in normal start-up, but I get the exact same thing. It says it's preparing the log, then the computer restarts, and ComboFix doesn't start back up and the log just shows the initial info of times, locations and AV software.

    Is there anything that causes this?
  17. kritius Newcomer, in training

    Some AVs can cause this; completely uninstall Avast and try again.

    If that doesn't work, look in the qoobox folder for a file called "ComboFix deletions" or similar and post it here.

    Then,

    Please download GMER from one of the following locations and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zipped Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
    • Disconnect from the Internet and close all running programs.
    • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
    • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
    • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

      [IMG]
    • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
    • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
    • Now click the Scan button. If you see a rootkit warning window, click OK.
    • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
    • Click the Copy button and paste the results into your next reply.
    • Exit GMER and re-enable all active protection when done.
    -- If you encounter any problems, try running GMER in Safe Mode.
  18. christo76 Newcomer, in training

    ComboFix still didn't create a full log. Should I uninstall SUPERAntiSpyware? I have it turned off while running ComboFix, but it does come up when the computer restarts.

    Inside the qoobox folder there are 2 files, ndis.sys & loga, and 5 folders: BackEnv, LastRun, Quarantine, Test, TestC. None seem to have any files related to ComboFix or deletions.

    I ran GMER. Here are the results.

    GMER 1.0.15.15227 - http://www.gmer.net
    Rootkit scan 2009-11-18 19:01:20
    Windows 5.1.2600 Service Pack 3
    Running: oxs2vvqd.exe; Driver: C:\DOCUME~1\JULIEP~1\LOCALS~1\Temp\uxtdypod.sys


    ---- System - GMER 1.0.15 ----

    SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xED3EC0B0]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!_abnormal_termination + 451 804E2AAD 3 Bytes [C0, 3E, ED] {SAR BYTE [ESI], 0xed}

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\00000340 -> \Driver\atapi \Device\Harddisk0\DR0 82F52170

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

    ---- EOF - GMER 1.0.15 ----
  19. kritius Newcomer, in training

    OK, download this file HERE and save it to your C:\ drive.

    Then go to Start, then Run, and type cmd:

    cd\
    c:\mbr.exe -t
    c:\mbr.log

    A log file (c:\mbr.log) will open. Post the contents of it in your reply.
  20. christo76 Newcomer, in training

    Here is the mbr.log:


    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82F52170]<<
    kernel: MBR read successfully
    user & kernel MBR OK
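The GMER log in post 18 ends its Device line with the address 82F52170, and the mbr.log above reports an UNKNOWN module at 0x82F52170 in the disk call chain. The script below is an added example for this thread, not GMER or mbr.exe code and not something any poster wrote: it parses both excerpts (copied from the posts above), extracts those addresses and reports whether they agree. It states only what the logs contain; identifying what sits at that address is beyond what this thread establishes.

```python
"""Read the GMER device-hook line and the mbr.exe call chain together.

Added example for this thread, not GMER or mbr.exe code. The two log excerpts are
copied from the posts above; the parsing and the comparison are mine. It checks
whether the kernel address GMER prints for the driver object in front of atapi
is the same address mbr.exe flags as UNKNOWN in the disk read path.
"""
import re

GMER_LOG = """\
---- Devices - GMER 1.0.15 ----

Device \\Driver\\00000340 -> \\Driver\\atapi \\Device\\Harddisk0\\DR0 82F52170
"""

MBR_LOG = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82F52170]<<
kernel: MBR read successfully
user & kernel MBR OK
"""

# Device \Driver\<name> -> \Driver\<target> \Device\<path> <8 hex digits>
GMER_DEVICE_RE = re.compile(
    r"^Device\s+(?P<driver>\\Driver\\\S+)\s+->\s+(?P<target>\\Driver\\\S+)"
    r"\s+(?P<device>\\Device\\\S+)\s+(?P<addr>[0-9A-Fa-f]{8})\s*$"
)
MBR_UNKNOWN_RE = re.compile(r">>UNKNOWN \[0x(?P<addr>[0-9A-Fa-f]+)\]<<")
MBR_CHAIN_RE = re.compile(r"^called modules:\s*(?P<chain>.+)$")


def gmer_device_hooks(text):
    """Every 'Device ... -> ...' line GMER printed, with the address as an int."""
    hooks = []
    for line in text.splitlines():
        m = GMER_DEVICE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["addr"] = int(d["addr"], 16)
            hooks.append(d)
    return hooks


def mbr_call_chain(text):
    """(named modules in the disk read path, set of UNKNOWN addresses) from mbr.log."""
    modules, unknown = [], set()
    for line in text.splitlines():
        m = MBR_CHAIN_RE.match(line.strip())
        if not m:
            continue
        chain = m.group("chain")
        unknown |= {int(u.group("addr"), 16) for u in MBR_UNKNOWN_RE.finditer(chain)}
        modules += MBR_UNKNOWN_RE.sub("", chain).split()
    return modules, unknown


def mbr_ok(text):
    """True when mbr.exe reported both the user-mode and kernel-mode MBR reads as OK."""
    return any(line.strip() == "user & kernel MBR OK" for line in text.splitlines())


def correlate(gmer_text, mbr_text):
    """GMER device hooks whose address also appears as UNKNOWN in mbr.exe's call chain."""
    _, unknown = mbr_call_chain(mbr_text)
    return [h for h in gmer_device_hooks(gmer_text) if h["addr"] in unknown]


def report(gmer_text=GMER_LOG, mbr_text=MBR_LOG):
    """Human-readable summary of what the two logs say about each other."""
    modules, _ = mbr_call_chain(mbr_text)
    lines = ["mbr.exe disk read path: " + " -> ".join(modules),
             "MBR sectors: " + ("OK" if mbr_ok(mbr_text) else "not reported OK")]
    matches = correlate(gmer_text, mbr_text)
    for h in matches:
        lines.append("%s in front of %s on %s at %08X is also the UNKNOWN module in the read path"
                     % (h["driver"], h["target"], h["device"], h["addr"]))
    if not matches:
        lines.append("no GMER device hook matches an UNKNOWN address")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Read together, the logs say two things: the MBR sectors themselves read back OK from both user and kernel mode, and the same unnamed code that GMER shows sitting between the boot disk's device object and atapi is in the path mbr.exe walks to read the disk. That correlation is what the logs support; naming the code is not.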